
[ossec-dev] Re: bug(s) in active response?



Hi John,

That's what happens:

- When you don't expect the user name or srcip and it is present, ossec will not send them (but sends dashes instead).

- If you expect user names or src ips, ossec will only call your script if they are present.

- Also, that might be your problem. If the ip is in the white list, ossec will not send them to the active response scripts.


I just sent in the other e-mail a link to an article that explains a bit more about active responses:

http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses


 * What are the arguments passed to the script?

   1. action (delete or add)
   2. user name (or - if not set)
   3. src ip (or - if not set)
   4. Alert id (unique for every alert)
   5. Rule id
   6. Agent name/host/filename


Since you have the alert id, you can grep the alert you want or even the whole rule information (in the example at the link above I do it).


Hope it helps.


--
Daniel B. Cid
dcid ( at ) ossec.net


On 7/27/07, John Ives <jives@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
>
>
> After banging my head against a wall about why an active response script
> that sent emails was not working as expected, I added code to log
> information to the log/active-response.log and discovered that it didn't
> appear the script was being called at all.  When I went back and changed
> the <expects> option to not expect anything (it had previously expected
> srcip and username), I started to get logs and emails (I had always
> gotten alerts for the event that caused it), I noticed that the script
> was not being passed the ip and username at all.  Below are the logs
> both from the active-response.log and alerts.log files.  On one test
> system I am getting username and srcip most of the time, on another I am
> getting them occasionally, and on the 'production' system I don't seem
> to ever get them.  The script itself works, I just don't get the
> information I am expecting at the other end without these two pieces of
> information.
>
> One thing to note is that there seems to be a discrepancy in times.
> When you look at the times in the active-response log, the `date`
> information is the same as the one in the alert log, however, the epoch
> times are different.  Specifically, the epoch times in the alert.log are
> the times seen for the previous alert in the active-response logs.
>
> active-response.log
> Fri Jul 27 15:28:19 PDT 2007
> /var/ossec/active-response/bin/login-alert.pl add - - 1185575299.2386412
> 666012
> Fri Jul 27 15:28:47 PDT 2007
> /var/ossec/active-response/bin/login-alert.pl add - - 1185575327.2386707
> 666012
> Fri Jul 27 15:28:47 PDT 2007
> /var/ossec/active-response/bin/login-alert.pl add - - 1185575327.2386985
> 666012
> Fri Jul 27 15:29:11 PDT 2007
> /var/ossec/active-response/bin/login-alert.pl add - - 1185575351.2388825
> 666012
> Fri Jul 27 15:34:32 PDT 2007
> /var/ossec/active-response/bin/login-alert.pl add - - 1185575672.2396850
> 666012
> Fri Jul 27 15:35:00 PDT 2007
> /var/ossec/active-response/bin/login-alert.pl add - - 1185575700.2397152
> 666012
>
> alert.log
> ** Alert 1185575299.2386136: - local
> 2007 Jul 27 15:28:19 system1->/var/log/auth.log
> Rule: 666012 (level 3) -> 'Login to secure server.'
> Src IP: <IP Address>
> User: jives
> Jul 27 15:28:19 system1 sshd[33190]: Accepted keyboard-interactive/pam
> for jives from <IP Address> port 51085 ssh2
>
> ** Alert 1185575327.2386412: - local
> 2007 Jul 27 15:28:47 (system2) <system2 IP>->/var/log/auth.log
> Rule: 666012 (level 3) -> 'Login to secure server.'
> Src IP: <IP Address>
> User: jives
> Jul 27 15:28:47 system2 sshd[13989]: Accepted keyboard-interactive/pam
> for jives from <IP Address> port 51086 ssh2
>
> ** Alert 1185575327.2386707: - local
> 2007 Jul 27 15:28:47 system2->/var/log/auth.log
> Rule: 666012 (level 3) -> 'Login to secure server.'
> Src IP: <IP Address>
> User: jives
> Jul 27 15:28:47 system2 sshd[13989]: Accepted keyboard-interactive/pam
> for jives from <IP Address> port 51086 ssh2
>
> --
> ** Alert 1185575351.2388541: - local
> 2007 Jul 27 15:29:11 system3->/var/log/auth.log
> Rule: 666012 (level 3) -> 'Login to secure server.'
> Src IP: <IP Address>
> User: jives
> Jul 27 15:29:11 system3 sshd[36667]: Accepted keyboard-interactive/pam
> for jives from <IP Address> port 51088 ssh2
>
> --
> ** Alert 1185575672.2396551: - local
> 2007 Jul 27 15:34:32 (system4) <system4 IP>->/var/log/auth.log
> Rule: 666012 (level 3) -> 'Login to secure server.'
> Src IP: <IP Address>
> User: jives
> Jul 27 15:34:31 system4 sshd[32699]: Accepted keyboard-interactive/pam
> for jives from <IP Address> port 51093 ssh2
>
> ** Alert 1185575700.2396850: - local
> 2007 Jul 27 15:35:00 (system5) <system5 IP>->/var/log/auth.log
> Rule: 666012 (level 3) -> 'Login to secure server.'
> Src IP: <IP Address>
> User: jives
> Jul 27 15:34:59 system5 sshd[8464]: Accepted keyboard-interactive/pam
> for jives from <IP Address> port 51094 ssh2
>
>
> Thanks for all the hard work,
>
> John
>
> --
> -------------------------------------------------------------------------
> John Ives                                           Phone (510) 642-7773
> System & Network Security                            Cell (510) 229-8676
> University of California, Berkeley
> -------------------------------------------------------------------------
>
>
>
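The argument list Daniel describes above, worked into a skeleton active-response script. This is an added example, not code from the thread or from OSSEC itself: it reads the six positional arguments in the order given, treats the "-" placeholder as "not set", and pulls the full alert block out of alerts.log by alert id (the grep he mentions). The ALERTS_LOG path is an assumption, and the sample alerts written by write_sample_alerts are constructed in the format quoted in John's mail.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC: a skeleton active-response
# script that reads the six arguments listed above, treats the "-" placeholder as
# "not set", and pulls the whole alert block out of alerts.log by alert id.
# ALERTS_LOG is an assumed path; the alerts written by write_sample_alerts are constructed.

ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# OSSEC sends "-" for user name and src ip when the alert has no such field.
field_or_unset() {
    if [ "$1" = "-" ] || [ -z "$1" ]; then echo "not set"; else echo "$1"; fi
}

# Print the block that starts with "** Alert <id>:" up to the next blank line.
alert_by_id() {
    awk -v id="$2" 'BEGIN { hdr = "** Alert " id ":" }
        index($0, hdr) == 1 { found = 1 }
        found && /^$/      { exit }
        found              { print }' "$1"
}

# One-line summary in OSSEC's argument order:
# action, user name, src ip, alert id, rule id, agent name/host/file.
summarize() {
    echo "action=$1 user=$(field_or_unset "$2") srcip=$(field_or_unset "$3") alert=$4 rule=$5 agent=$6"
}

# Constructed alerts.log excerpt in the format quoted in the thread (two blocks).
write_sample_alerts() {
    cat > "$1" <<'EOF'
** Alert 1185575327.2386412: - local
2007 Jul 27 15:28:47 (system2) 10.0.0.2->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: 192.0.2.10
User: jives
Jul 27 15:28:47 system2 sshd[13989]: Accepted keyboard-interactive/pam for jives from 192.0.2.10 port 51086 ssh2

** Alert 1185575351.2388541: - local
2007 Jul 27 15:29:11 system3->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: 192.0.2.11
User: jives
Jul 27 15:29:11 system3 sshd[36667]: Accepted keyboard-interactive/pam for jives from 192.0.2.11 port 51088 ssh2
EOF
}

# When OSSEC invokes the script with its six arguments, log a summary and the alert.
if [ "$#" -eq 6 ]; then
    summarize "$@"; alert_by_id "$ALERTS_LOG" "$4"
fi
```

Point ALERTS_LOG at a copy of your own alerts.log and call the script with the six arguments from active-response.log to see the lookup against real data.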




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.